Difference between revisions of "SAMBA Cross-Domain Trust File Server"

From Michael's Information Zone

Revision as of 09:48, 23 January 2020

Purpose

The existing file server is not configured properly. I will be moving this non-critical data to a new server running in AWS. Since I can live with some downtime if needed, a small AWS instance is much cheaper than the expensive Windows-based file service AWS offers.

Host

The host is a t3a.small CentOS 7 instance running on EC2. At the time of this writing CentOS 8 is not available on the AWS store.
Though not a critical system, it will be holding sensitive data and I want native SELinux.

Config

Work in progress

Packages and Domain

  • Prep the base OS with automatic updates and a firewall. Edit the yum-cron config so that it installs security updates only and applies updates after downloading them.
sudo yum upgrade -y
  • Edit /etc/dhcp/dhclient.conf to include the domain-specific settings below, then reboot.
prepend domain-search "domain1.tld", "domain2.tld";
prepend domain-name-servers 192.168.1.100, 192.168.1.101;
sudo hostnamectl set-hostname smbshare
sudo timedatectl set-timezone America/New_York
sudo yum -y install epel-release yum-cron firewalld
sudo systemctl enable --now firewalld
sudo systemctl enable --now yum-cron
sudo reboot

Disk

  • Create the partition, mount the data disk and create the fstab entry. The commands below are for general reference only; finding the UUID and choosing mount options are omitted.
sudo fdisk /dev/nvme1n1
sudo mkfs.xfs /dev/nvme1n1p1
sudo mount /dev/disk/by-uuid/556cfbd6-18cf-4721-934c-f35835ee89c8 /mnt/data/

Apply the SELinux context.

sudo semanage fcontext -a -t samba_share_t "/mnt/data(/.*)?"
sudo 

Samba Config

[1] [2]

  • Install samba
sudo yum -y install samba
  • This smb.conf [global] entry was created using the referenced wiki.samba.org links, as well as an smb.conf file from a FreeNAS server.

In this case we also disable printing, as it is not used and removing it means one less service that can be attacked.

[global]
        workgroup = DOMAIN1
        security = ADS
        realm = DOMAIN1.TLD
        idmap config *: backend = tdb
        idmap config *: range = 3000-7999
        idmap config DOMAIN1: backend = rid
        idmap config DOMAIN1: range = 10000-999999
        idmap config DOMAIN2: backend = rid
        idmap config DOMAIN2: range = 1000000-9999999
        allow trusted domains = yes
        winbind refresh tickets = Yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        username map = /etc/samba/user.map
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
  • [3] Create the file /etc/samba/user.map with the following content:
!root = DOMAIN1\michael.mast
  • Start services
sudo systemctl enable --now smb
sudo systemctl enable --now nmb
sudo smbcontrol all reload-config
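The idmap layout in the [global] section above is where a cross-domain trust setup most often goes wrong: the per-domain rid ranges must not overlap each other or the "*" default range, and every trusted domain needs its own block, otherwise its users silently land in the tdb default range with unstable IDs. The checker below is an added example, not part of the original page; it parses the idmap lines of a constructed copy of that config (GOOD_CONF) and of a deliberately broken variant (BAD_CONF) and reports exactly those problems.

```python
import re

# Constructed copy of the idmap lines from the [global] section above.
GOOD_CONF = """
        idmap config *: backend = tdb
        idmap config *: range = 3000-7999
        idmap config DOMAIN1: backend = rid
        idmap config DOMAIN1: range = 10000-999999
        idmap config DOMAIN2: backend = rid
        idmap config DOMAIN2: range = 1000000-9999999
"""

# Constructed broken variant: DOMAIN1 overlaps the '*' range and DOMAIN2 has no block.
BAD_CONF = """
        idmap config *: backend = tdb
        idmap config *: range = 3000-7999
        idmap config DOMAIN1: backend = rid
        idmap config DOMAIN1: range = 5000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(text):
    # Map each idmap domain ('*' is the default block) to its backend and range.
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg

def check_idmap(text, trusted_domains=()):
    """Return the list of problems found; an empty list means the layout is consistent."""
    cfg, problems, ranges = parse_idmap(text), [], []
    if "*" not in cfg:
        problems.append("no 'idmap config *' block: BUILTIN and unknown SIDs cannot be mapped")
    for dom in trusted_domains:
        if dom.upper() not in cfg:
            problems.append(f"{dom}: no idmap block, its users would fall into the '*' range")
    for dom, ent in cfg.items():
        if "backend" not in ent or "range" not in ent:
            problems.append(f"{dom}: backend and range must both be set")
            continue
        lo, hi = (int(x) for x in ent["range"].split("-"))
        ranges.append((lo, hi, dom))
    # Sorted by lower bound, so each range only needs comparing with its successor.
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return problems
```

Run it against the real /etc/samba/smb.conf with the list of domains `wbinfo --trusted-domains` reports before joining; an empty result from check_idmap is the precondition for the winbind steps that follow.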

AD Authentication

Using winbind

[4] [5]

sudo yum -y install samba-winbind samba-winbind-clients
sudo net ads join -U michael.mast
  • Edit /etc/nsswitch.conf and add winbind for passwd and group, in example:
...
passwd:     files winbind sss
...
group:      files winbind sss
...
  • Start services
sudo systemctl enable --now smb
sudo systemctl enable --now nmb
sudo systemctl enable --now winbind
  • Grant SeDiskOperatorPrivilege
net rpc rights grant 'DOMAIN1\linuxadmins' SeDiskOperatorPrivilege -U'DOMAIN1\michael.mast'
Enter DOMAIN1\michael.mast's password:
Successfully granted rights.

FAILED : Using SSSD

This process was not working when I got to the Windows Management side of things.

  • Install Kerberos and related packages; the domain join comes later. [6] Don't forget sssd-libwbclient.
sudo yum install -y realmd krb5-workstation oddjob oddjob-mkhomedir sssd sssd-libwbclient
sudo systemctl enable --now sssd
sudo realm join -U <username> domain1.tld
  • At this point we want to make sure a domain security group can manage the share from a Windows server. In my case I created a linuxadmins group.
net rpc rights grant 'DOMAIN1\linuxadmins' SeDiskOperatorPrivilege -U'DOMAIN1\michael.mast'

However, at the time of this writing I am unable to get this to work. I get the following error:

Enter DOMAIN1\michael.mast's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE